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Executive summary 


Background 


Considerable effort has been invested in Europe over the last couple of 
years on elD and e-signature interoperability across borders. With the 
elDAS regulation coming into force 1st July 2016, there will be a legal 
obligation to accept el Ds from other countries. One ofthe measures taken 
by the European Commission is to make cross-border building blocks 
available from the CEF Digital Programme to establish digital service 
infrastructures at European level. 


The study 


This study has been initiated by the Nordic Council of Ministers with the 
aim to facilitate a Nordic discussion on eID similarities and differences. 

A project was set up to investigate and map the eID systems of the 
Nordic countries; Denmark, Finland, Iceland, Norway and Sweden. The 
project was asked to investigate and uncover eID related issues of 
importance for cross-border access to electronic services among the 
Nordic countries: 


e The Nordic Council of Ministers is the project's sponsor and the 
formal recipient of the project deliverables. 

e The project was carried out by a team set up by Difi, the Norwegian 
Agency for Public Management and eGovernment. 

e The Nordic Council of Ministers established a reference/resource 
group with participants from the Nordic countries. 


The reference group was to actively participate in the study. The group 
has had three meetings, of which two have been workshop oriented. In 
addition, two experts have been invited to highlight issues of special 
interest. 


The reference group has been the main source ofinformation for the 
survey data, which covers: 


e Policy and legal framework. 
e Organisation. 
e Technology. 


e Information. 


Figure 1: The analytic template 


Policy and 
legal framework 
* Legal framework 
* elD 
+ eSignsture eGov system provision 
elD assurance levels * Specific requirements 
* PIN 


Technology 
* Systemarchitecture 
. Interconnection 


* Civic Registration Number 
Accessto additional attributes 
* QA for attribute registers 
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Issues and considerations 


Cross border eGov services score low on national policy agendas 


The survey question, "Does the eGovernment policy Nordic cross border eGov service 
express ambitions for cross border operation, e.g. making provision would benefit from more 
eGov services available to foreigners?" revealed a lack of support 


explicitly expressed intentions for such. (4.2). 


National eID infrastructures are well organised, but there is a lack of 
Nordic interconnections 
å 


LS 
The survey reveals a Nordic system where individual countries The EU is promoting the creation 
have well organised systems for identification and of digital connections between 
authentication of own resident users. However, these national European countries through the 
systems are not interconnected. CEF Digital Programme. Over time, 
There are, in 2015, no operational cross border connections all Nordic countries will connect to 
between any of the countries with a level of service comparable this infrastructure. 

to that offered to residents within a country. Will these connections fit Nordic 
Several Nordic countries have participated in interconnection needs? 

pilot projects; however, the effort has been technically oriented A coordination on Nordic level 

and limited to proof of concepts. would probably be advantageous 


for the countries as such, as well as 


for Nordic interoperability 


National eID assurance policies differ greatly. eIDAS will not (in itself) 
lead to Nordic harmonisation 


a 


L— 
An elD assurance level is a measure of the trust assigned to a A harmonisation would facilitate 
specific elD credential. National policies about how elD cross-border service provision. 
assurance levels are defined and howthese are applied to Will there be harmonisation? 
specific eGov services vary greatly (3.1). Not by itself. The topic is complex 
All Nordic countries need to initiate local implementations of and loaded with different national 
the elDAS regulation. The regulation is "EU-law” and defines a traditions 


common European norm (low, substantial, high). However, it 
makes no reference to technical specifications, standards or 
procedures. This leaves much work to be done at national levels 
(32): 
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All Nordic countries have a "Waiting Room" issue 


Issues 


The provision of eGov services is commonly dependant on a 


specific PID — a national person identifier with a country specific 


format. This identifier is a carrier of embedded information 
about the citizen; e.g. gender and birth date (5.1). 

Existing procedures to provide a PID to a foreigner are often 
lengthy and paper based. It is technically possible to create 
dummy PIDs on the fly that would fit national format 
requirements and not collide with an existing person identity. 
However, the use of such solutions is hampered by legal and 
institutional barriers. 

When a person has elD tokens from several countries, it is a 
challenge to assure that they all refer to the same physical 
person. There is a risk that the person is already registered in 
the population register, but with reference to some other 
foreign elD. This calls for sharing of PID information across 
Nordic borders. 


Considerations 


et 


Solutions for real time provision of 
PIDs for eGov usage could be 
tested out in pilots and Nordic 
proof of concept workshops 

Nordic countries have a tradition 
for the sharing of civic information, 
e.g. when people are moving. 
Online sharing of national civic 
registration numbers across 
borders would be useful in order 
to solve the “waiting room” issue. 
However, this may imply 
unexpected risks in the Internet 
age. Acase fora Nordic study? 


Differences inthe way information access is organised and national 
information policies make the retrieval of information from other 


countries difficult 


Issues 


Many public services depend on access to additional personal 
information in order to provide the service. This can include 
information about a person's family situation, skills or 
education. In the cross border context, this implies retrieval of 
information from registers in another country. 

Nordic countries have very different system architectures and 


practice for accessing and handling person related information. 


The retrieval of citizen specific information from governmental 
information sources in other countries faces a number of 
challenges. 
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Considerations 


EI 


tradition for trusting each other. 


The Nordic countries have a 


Can they do so also in the Internet 
age? 

Cross-border access to 
authoritative information registers 
in other countries will be very 
challenging. A Nordic survey could 
be auseful first step. 


Nordic elD interoperability is made difficult by a lack of standards 


The information content of national elDs used in the various 
Nordic countries varies from country to country. This 
complicates the conversion of a person's elD from one Nordic 
country's format to another (6.4). 

The elDAS regulation defines a minimum European elD dataset 
for natural persons. The dataset specifies four mandatory 
attributes and four optional attributes. 

For operational usethis specification needs enlargement and 
further specification. Some of this work could advantageously 
be coordinated on Nordic level. 


The Nordic eSignature situation is unique 


Electronic signatures have developed to become a complex 
topic in many circumstances. Considerable confusion results 
from thefact that "signature" is both a legal and a technical 
term (8.1). 

The survey has revealed that most e-government services (and 
other services) in the Nordic countries arebased on the 
authentication of the user's identity only, as a basis for "simple" 
electronic signatures. This is different from European countries 
with a tradition for Notary and Registrar confirmed documents. 
Sweden is the only Nordic country where government agencies 
frequently choose to require advanced electronic signatures to 
be used. To fulfil this and still offer the user friendliness of a 
"click to consent" signature, a central signing service has been 
developed. 


a 


a 


A Nordic elD profile referring to 
international standards would be 
very useful. 

A study could be combined with 
“proof of concept workshops” to 
develop best practice solutions. 
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h— 


How can we make sure that the 
Nordic countries do not make new 
and unnecessary demands for the 
use of qualified or advanced e- 
signatures? 

The "Swedish solution" should be 
investigated further as a 
combination of a pilot project and 
related workshops 
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1. Nordic authentication 
systems 


Identification 
Providing answers tothe question “whoare you?" Typical answers canbe: 


e My nameis John Clark. 
e My useridentityis Joclarc200. 


Authentication 
Providing answers to the request “Please, prove your identity”: 


e The most common response to this demand is to presenta 
password. 


Figure 2: On the Internet, nobody knows you're a 
"aO e 


Source: The New Yorker, 1993. 


1.1 Governmental eID stakeholders 


Survey question 2.1.2 


e Please give a short overview of key (eID) governmental stakeholders 
Roles and responsibilities. 


1.1.1 Denmark 


The Danish eID framework is based on the open OCES standard. OCES is 
the Danish designation for Public Certificates for Electronic Services 
"Offentlige Certifikater til Elektronisk Service". 
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The legal framework of the OCES concept demands agreements to be 
set up between Certification Authorities (CA) and the Agency of 
Digitisation in order to issue OCES certificates. In this agreement, the CA 
undertakes to comply with the terms ofthe certificate policies drawn up 
by the Agency. 

At the moment an agreement exists with Nets/DanID as a CA issuing 
OCES signatures. 


1.1.2 Finland 


The Ministry oftransport and communication (MINTC) isresponsible for 
the laws regulating the Finish eID framework. 

The only publicauthority issuing qualified certificates and strong eID 
means is the Population Register Centre. 

Ministry of Finance (MoF) has a significant role in promoting the 
digitalization ofgovernment services and the Population Register Centre 
is an organisation under the Ministry of Finance. 

FICORA (government agency under MINTC) is responsible of 
supervision according to the law. 


1.1.3 Island 


The central identification and authentication system is operated by 
Registers Iceland. Registers Iceland also issues Icekey (national ID- 
number and a strong password) and a multi-factor Icekey (Icekey plusa 
text message sent tothe user's mobile phone). Registers Iceland belongs 
to the Ministry of the Interior. 

Ministry of Finance and economic affairs is the owner ofthe Icelandic 
root on which the electronic certificates are based. 

Auökenni (a private company) - issuer of qualified electronic 
certificates on smartcards and electronic certificates on SIM-cards under 
the Icelandic root. 
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1.14 Norway 


Responsibility for the eID area is split as follows: 


e Ministry of Local Government and Modernisation: Responsible for 
regulation and implementation (via Difi) of eID usage for e- 
government services. 


e Ministry of Finance: Responsible (via Norwegian Tax 
Administration) for the Norwegian Population Register, which is the 
main attribute provider for identity information. 


e Ministry of Trade, Industry and Fisheries: Owns the law on e- 
signature and is responsible for implementation ofthe eIDAS 
regulation into Norwegian law. 


e Ministry of Transport and Communications: Responsible for 
Norwegian Communications Authority (Nkom) and thereby for 
supervision. 


At directorate level Difi (Agency for Public Management and e- 
Government) is responsible for co-ordination of use of eID towards the 
public sector through the services ofID-porten. Difi also runsthe contact 
and reservation register holding email and mobile phone numbers used 
to alert users, and users' reservations against use of electronic 
communication. 


1.1.5 Sweden 


The Swedish Ministry of Enterprise and Innovation holds the main 
responsibility for policy and legal matters. 

The Swedish E-identification Board is main responsible for the 
Swedish eID System and for the STORK 1 PEPS node. 
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1.2 Authentication for public services 


Survey questions 4.1.1 and 4.2.3 
e Howistheauthentication for public services done in your country? 


e [stherea common gateway or a portal used by eGovernment 
services? 


e Ifso,is the use of this portal mandatory or voluntary? 


12.1 Denmark 


In Denmarkthe use of NemIDas token and NemLog-in as authentication 
portal is mandatory for public-sector service providers. "NemLog-in" 
provides authentication and single sign-on for public eGovernment 
services. The national eID infrastructure is controlled by the state ad 
operated by private Certificate authorities (CA). NemLog-in also provides 
a power of attorney solution. 

NemID is a two-factor eID with username, password and a one time 
password (OTP) The OTP is a credit card sized paper card with 
passwords consisting of six numeric digits. 


1.2.2 Island 


Thereisa common gateway, the Icelandicidentification and authentication 
portal, run by Registers Iceland. The gateway is used bymostpublicagencies 
and many private companies. Usage is not mandatory. 

There is a choice between using IceKey, Multi factor Icekey (+ SMS) 
and electronic certificates in phones or on smartcards. The user is sent 
temporarily to the authentication gateway and returned to the service 
provider with a digitally signed proof of authentication. 
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1.2.3 Norway 


In Norway the elD gateway "ID-porten" is mandatory and used for 
authentication by most public services on governmental level. It is also 
used by many service providers on regional and local level. ID-porten 
currently serve more than 660 public services. 

Norwegian citizens have a choice between four eID alternatives: 


e MinID: Developed and run by Difi. Only for public sector services. 
Security level 3. 


e BankID: Developed and run by banks. Security level 4. 


e Buypass: Private eID supplier offering el Ds on security level 3 and 4. 
The level 4 eID can be used in ID-porten. 


e Commfides: Private eID supplier offering el Ds on security level 3 and 
4. The level 4 eID can be used in ID-porten. 


1.2.4 Finland 


In Finland there are at the moment there two separate gateways used by 
eGoverment services (tunnistus.fi and Vetuma). "Vetuma" is the public 
administration's joint service for citizen electronic authentication and 
payment. Depending on the online service, a citizen can identify 
him/herself with bank identifiers and a certificate card or a mobile 
certificate provided by the telephone operators. Tunnistus.fi is similar to 
Vetuma but providing service only to its owners which are the Tax 
Administration, the Ministry of Employment and The Economy. 

Finland is currently developing a 2nd generation centralised, 
common elD portal. The new government operated eID-portal will do a 
background query for each authentication request, and retrieve up-to- 
date information from the population register. This data set will be sent 
tothe service provider that requested the authentication (a municipality 
or a government agency). 

Usage of common elD portal is at least for now voluntary. 
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Figure 3: National solutions for eID Authentication 


A common authentication portal ? Observations 


DK: Yes  NemLog-in provides 
authentication and single sign-on for 
public eGov services 


IS: Yes islandis. (IceKey, Mobile, Card) ? "he national 


see elD authentication systems 
agencies usedfor eGov services, all seems 


well suitedfor extensionto handle 
NO: Yes  ID-porten. Used by most eGov 


ices and in principle mandatory cross border authentication 
* Denmark, Iceland, Norway and 


FI: Two gateways. However, in the process Finland all have well defined technical 
of developing one common gateway. and organisational “points” that can 
SE: No, but ; The Swedish elD infrastructure Serve as cross border gateways. 
is organised as an elD federation based * The Swedish system is decentralised, 
on SAML 2.0 under the supervision of but organise in a manner wellsuited 
E-legitimationsnamnden. for extension beyond own borders 


1.2.5 Sweden 


E-identification for citizens is issued by private sector - mainly through 
banks and a large telecommunication provider. The publicsectorpurchases 
authentication from the identity providers on a commercial basis. 

The current Swedish eID infrastructure is based on PKI and a 
framework agreement from 2008 with four suppliers (three banks 
selling BankID and Telia). Each individual contracting agency is 
responsible for making call offs from the framework agreement and 
ensuring necessary technical integration of the eID-services into the 
respective e-service. Authentication and SSO between certain e-services 
is coordinated on a voluntary basis. 

The new Swedish eID infrastructure (Svensk e-legitimation) is 
organised as an eID federation based on SAML 2.0 under the supervision 
of the Swedish E-Identification Board, E-legitimationsnàmnden. Issuers 
of elD and service providers are trusted members of this identity 
federation provided. 
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SAML 2.0 is a version ofthe SAML standard that allows for exchange 
of authentication and authorization data between partners within a 
trusted security domain. The trusted partners of the federation has 
access to a SAML metadata system. This system holds updated 
information on partner, roles and technicalities like URL addresses. 
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2. elD Assurance policies 


2.1 National assurance levels for eID 


Identity assurance is a measure for the strength of assurance of an eID 
credential, it indicates to what degree an eID can be trusted as a digital 
proxy for a person online. 


Survey questions 2.4.1 and 3.3 
e Whatare the eID assurance levels in use nationally today? 


e Which assurance levels are typically required for (different) eGov 
services? 


e Arethere guidelines for risk evaluation for selection of eID 
assurance level for a service? 


2.1.1 Denmark 


The NemID solution has one assurance level and it would probably be 
mapped tolevel Substantial in the eIDAS LoA framework. The credentials 
are OTP (two-factor tokens) and online enrollment is allowed (no 
physical presence required during enrollment). UniLog-in and WAYF 
would probably be mapped to level Low. 

DK is working on a revised trust framework in order to align the 
national eID solution with the eIDAS levels of Assurance. 

Guidelines for risk evaluation and selection of appropriate eID 
assurance level is found at http://www.skat.dk/skat.aspx?old= 
1779998&vId=0 


2.1.2 Finland 


Only one level "Strong electronic identification" is defined in the Act on 
Strong Electronic Identification and Electronic Signatures (617/2009). 
The definition is as follows: 


e Strong electronicidentification means the identification of a person 
and the verification of the authenticity and validity of the 
identification by an electronic method based on at leasttwo of the 
following three alternatives: 

1. Password or something similar that the identification device 
holder knows. 

2. Chipcard or something similar that the identification device 
holder has in his possession. 

3. Fingerprint or some other characteristic identifying the device 
holder. 


e Finland has guidelines for risk evaluation and selection of 
appropriate el Dassurance level. It dates from 2001 and is currently 
under revision. 


2.1.3 Iceland 


The Icelandic identification and authentication portal offers a choice of 
assurance levels. Iceland has adopted ISO/IEC 29115:2013. Iceland's 
assurance levels are: 


e [ceKey-Moderate. 
e  Multi-factor IceKey-High. 


e Electronic certificates-Very high. 
Service providers find guidance for risk assessment oftheir services and 


suggested assurance levels at Instructions atthe national portal island.is. 
Very few service providers require more than IceKey to accesstheirservices. 
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The Ministry of Finance and Economic Affairs has issued a 
recommendation to public service providers to always require qualified 
electronic certificates. 


2.1.4 Norway 


"Framework for authentication and non-repudiation in electronic 
communication with and in the public sector" defines four risklevels and 
corresponding requirements for authentication and non-repudiation 
mechanisms. 

The "framework for authentication and non-repudiation for 
electronic communication with and within the public sector" provides 
guidelines for risk evaluation related to authentication. Each service 
provider is solely responsible for assessing risks and setting the required 
assurance level. Most government services are at assurance level 2 or 3. 
A few services require authentication at assurance level 4, notably in the 
health care sector. 


2.1.5 Sweden 


The document "Tillitsramverk fór Svensk e-legitimation" defines three 
assurance levels (LoA 2, 3 and 4) in line with the standard ISO/IEC 29115 
and the eIDAS trust framework. The currently issued eIDsare estimated 
to be corresponding to LoA 3, or "substantial" according to eIDAS. 

Guide for risk assessment is available at https://www. 
informationssakerhet.se/Global/Metodstöd%20för%20LIS/Riskanalys.p 
df. Specific guidelines on choosing the right level of assurance are in 
development. 

The eID assurance discussion comprises two topics: 


e Whatis the assurance level of the eID credential? 


e Whatassurance level will a service provider require in order to 
provide user access? 
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Figure 4: National elD assurance levels 


A heterogeneous landscape 


DK: 


Fi: 


NO: 


SE: 


No strict regime today. 
Working on a revised framework 


Established assurance regime with 
one level only; STRONG 


ISO/IEC 29115:2013 aligned 


- IceKey (basic) Moderate 
- IceKey (mulb-factor) High 

- Electronic certificates Very High 
Four levels 


- eGov services mostly on level 2 or 3 
- eHealth on level 4 


Four assurance levels 
in line with ISO/ IEC 29115. 


Consideration 


Harmonisation 

would facilitate 

cross-border service provision, 

... but is harmonisation realistic ? 
Public services accepting "substantial" 
in one country may demand "high" in 
another country. 

This seems like 

an analytical complex topic 

mixed with established national 
traditions, frameworks and assumptions 


The eIDAS regulation defines a European measurement scale with three 
levels (Low, Substantial, and High). However, the level of assurance 
demanded for access tospecific services varies from sector to sector and 
from country to country. Public services ranked as having a "substantial" 
level in one country may be ranked as "high" in another. 
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3. elD Assurance policies 


3.1 National assurance levels for eID 


Identity assurance is a measure for the strength of assurance of an eID 
credential, it indicates to what degree an eID can be trusted as a digital 
proxy for a person online. 


Survey questions 2.4.1 and 3.3 
e Whatare the eID assurance levels in use nationally today? 


e Which assurance levels are typically required for (different) eGov 
services? 


e Arethere guidelines for risk evaluation for selection of eID 
assurance level for a service? 


3.1.1 Denmark 


The NemID solution has one assurance level and it would probably be 
mapped tolevel Substantial in the eIDAS LoA framework. The credentials 
are OTP (two-factor tokens) and online enrollment is allowed (no 
physical presence required during enrollment). UniLog-in and WAYF 
would probably be mapped to level Low. 

DK is working on a revised trust framework in order to align the 
national eID solution with the eIDAS levels of Assurance. 

Guidelines for risk evaluation and selection of appropriate eID 
assurance level is found at http://www.skat.dk/skat.aspx?old= 
1779998&vId=0 


3.12 Finland 


Only one level "Strong electronic identification" is defined in the Act on 
Strong Electronic Identification and Electronic Signatures (617/2009). 
The definition is as follows: 

Strong electronic identification means the identification of a 
person and the verification of the authenticity and validity of the 
identification by an electronic method based on at least two of the 
following three alternatives: 

1. Password or something similar that the identification device holder 
knows. 


2. Chip card or something similar that the identification device holder 
has in his possession. 


3. Fingerprint or some other characteristic identifying the device 
holder. 


Finland has guidelines for risk evaluation and selection of appropriate 
elD assurance level. It dates from 2001 and is currently under revision. 


3.1.3 Iceland 


The Icelandic identification and authentication portal offers a choice of 
assurance levels. Iceland has adopted ISO/IEC 29115:2013. Iceland’s 
assurance levels are: 


e [ceKey-Moderate. 
e  Multi-factor IceKey-High. 


e Electronic certificates-Very high. 


Service providers find guidance for risk assessment of their services 
and suggested assurance levels at Instructions at the national portal 
island.is. Very few service providers require more than IceKey to access 
their services. 
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The Ministry of Finance and Economic Affairs has issued a 
recommendation to publicservice providers toalways require qualified 
electronic certificates. 


3.1.4 Norway 


“Framework for authentication and non-repudiation in electronic 
communication with and in the public sector” defines four risk levels 
and corresponding requirements for authentication and non- 
repudiation mechanisms. 

The “framework for authentication and non-repudiation for 
electronic communication with and within the public sector” provides 
guidelines for risk evaluation related to authentication. Each service 
provider is solely responsible for assessing risks and setting the required 
assurance. 


3.2 The elDASregulation 


The eIDAS regulation is the European Union's new regulation on electronic 
identification and trust services. Being a regulation, it is an "EU-law" 
directly applicable in all member states.! The regulation enters into force 
on July 1st 2016, with a deadline for implementation in September 2018. 
elDAS aims to solve a range of electronic identity related issues. In 
addition, a range oftrust services are defined, and eIDAS requires theseto 
belegally recognized cross-border (electronic signatures, registered e- 
delivery services, website authentication and more). 


Obligation to "recognise" eID from other countries 

The primary target of eIDAS is to facilitate cross-border access to public 
services. When itenters into force, users can beauthenticated for public 
services using any EU-notified "electronic identification means” 
equivalent to, or better than, the eID issued nationally. 


1For EEA countries Iceland and Norway, the regulation will not become a national law directly, but as eIDAS 
is “EEA relevant”, the EEA countries have an obligation to implement eIDAS into national law. 
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Survey question 2.5.1 


e Please indicate timeline and milestones related to the adoption of 
the eIDAS regime. 


3.2.1 Denmark 


Denmark plansto have a CEF eID node in production, i.e. up and running 
in an operational environment by 1st January 2017. Denmark is also 
running an elD pilot in e-SENS in order to get technical experience 
necessary for setting up the production elD node to be compliant with 
the eIDAS regulation. 

DK expects to integrate Danish e-services in an iterative process after 
the national eID node has been set up in an operational environment. We 
expect the eID node to be able to handle all foreign, notified elDs via 
uniform interface and that the biggest burden therefore will not be on the 
Danish e-Service side. 


3.2.2 Finland 


Updated national legislation and regulations on the basis of eIDAS 
planned to be in force 1/7/2016. 


3.2.3 Iceland 


Registers Iceland has received a 3 year funding from CEF and plans to 
adoptthe identification and authentication portal tothe eIDAS regulation 
within this period. 


3.2.4 Norway 


Work on incorporation of eIDAS in Norwegian legislation is ongoing. 

Norway (Difi, ID-porten) will connect to the STORK (CEF Digital) 
infrastructure second half 2015. The technical measures for 
authenticating persons from other European countries will then be in 
place. 
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3.2.5 Sweden 


Atimeline will be established later this year. The new law complementing 
the eIDAS regulation will enter into force on 1st July, 2016. 

Sweden will build an infrastructure through eIDAS nodes and a 
national proxy service integrated in to the national identity federation 
that enables Swedish service providers to authenticate users from 
other countries. 


3.3 eIDAS requires national implementation efforts 


eIDAS defines a regime with three assurance levels in relation to cross 
border use of notified eIDs; Low, Substantial, and High. However,theeIDAS 
regulation is a legal text without references to technical specifications, 
standards or procedures. This workremains to be done. Nordicalignmentis 
not a requirement, but will facilitate cross-border operations. 

The cross border elD acceptance regime of eIDAS, is based on a 
system where countries apply for "EU notification" of selected national 
eID schemes. The process comprises three main steps 


e Submission; Notifying countries submitsthe notification support 
material to the "Cooperation Network”.? 

e Peerreview: areview of eID scheme under the monitoring of the 
other countries. The applying country may at this stage be asked to 
provide additional information on specific issues. 


e Notification: Publication in the Official Journal. 


The above procedure will be resource demanding and a Nordic sharing 
of expertise and knowhow will be beneficial. Notification is not 
mandatory and it remains to see which Nordic countries will notify. 
Anyhow, it will probably be of interest to provide experts to the 
"Cooperation Network” as well as the review team. 


2 Commission Implementing Decision (EU) 2015/296. 
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4. Cross border connections 


4.1 Futuretrend - Service infrastructures at 
European level 


In 2011 the European Commission adopted a proposal for a Multi- 
Annual Financial Framework for the period 2014-2020, "The 
Connecting Europe Facility" (CEF). The section CEF Digital has a total 
budget of euros 1.14 billion, out of which 970 million euros are 
dedicated to Digital Service Infrastructures (DSIs). A main objective for 
this section is to facilitate the cross-border and cross-sector interaction 
between European public administrations. 


4.1.1 CEF eID Building Block 


CEF Digital comprises a number of re-usable components known as 
DSI Building Blocks. Building blocks for eID and eSignature are among 
the first to be available together with eInvoicing, eDelivery and 
automated translation.? 

The eID building block supports cross-border authentication by the 
interconnection of existing national eID authentication systems. The 
system architecture for the European DSIs is based on dedicated core 
service platforms for the individual DSIs and connection gateways at 
national levels. The core platforms will beimplemented and operated by 
the EU while connection gateways at national level will beimplemented 
and managed locally 


3 https://joinup.ec.europa.eu /co mmunity /c ef/d escription 


A new agency created in 2014, INEA,‘ is responsible for the financial 
implementation of CEF Digital and for the technical management of the 
core service platforms of the DSIs. 

The final technical specifications as well as some operational aspects 
ofthe DSIs brought forward by CEF Digital are still to be finalised. CEF 
Digital is implemented via annual Work Programmes prepared in 
cooperation with the Member States and participating EEA countries. It 
is a "system under construction". However, it seems clear that the 
European Commission is determined to roll out a number of digital 
service infrastructures for cross border eGovernment services in the 
years to come. 


4.1.2 ISA? 


ISA? will cover the period 2016-2020 will replace the ISA programme 
which comesto an end in December 2015. The ISA programme supports 
the development of tools, services and frameworks in the area of e- 
Government through more than 40 actions some of which is listed below: 


e CPSV-AP- A data model for public services. 
e EFIR- The European Federated Interoperability Repository. 
e AMDS- The Asset Description Metadata Schema. 


e joinup- A internet platform facilitating the sharing and reuse of IT 
solutions developed for Public Administrations. 


Solutions are with a few exceptions available free of charge to European 
Public Administrations. 


^ http://ec.europa.eu/inea/en 
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4.2 The Nordic situation - An ocean of islands? 


Survey questions 3.1.5 and 3.3.4 


e Does your national eID policy address issues related to acceptance 
of eIDs from other countries? 


e Does the eGovernment policy express ambitions for cross border 
operation, e.g. making eGov services available to foreigners? 


4.231 Denmark 


The existing eID policy only addresses issues relating to foreign citizens 
who have a residence permit and hence a Danish central registration 
number (cpr.nr.). Foreign citizens can based on this get NemID on the 
same conditions as Danish citizens. 

No explicit policy expressed for making eGov services available for 
foreigners, but Denmark is piloting cross border eGov services through 
the e-SENS project. 


4.2.22 Finland 


No explicit policy expressed for making eGov services available for 
foreigners. 


4.2.3 Iceland 


No explicit policy expressed for making eGov services available for 
foreigners, but Iceland has participated in both STORK projects. A PEPS 
gateway has been established and run under both projects. 
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4.2.4 Norway 


Work has been carried out in Difi on acceptance of foreign elDs and a 
connection to the STORK infrastructure will be in place in the autumn. 


4.2.5 Sweden 


In the budget bills for 2015 and 2016, the Swedish government states 
that the routines for electronic identification and signature should beas 
easy as possible to use, no matter ifthe user is located in Sweden or in 
another country. The routines must also ascertain a high level ofsecurity. 
The government also states that the implementation of the eIDAS- 
regulation is prioritised. 


Figure 5: elD interconnection 


Survey questions | Observations 


elD policy 

1. Does your elD policy addressissues 
related to the acceptance of elDs from 
other countries? 

2. Does your eGov policy express * CEFDigital will imply 
ambitions for making eGov services the building of bridges, 
available to foreigners? but will they suit Nordic 


needs? 
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The Nordic elD ecosystem 
— an ocean of islands ? 


e During the latest years, SE has established several pilots to test 
cross-border authentication and electronic signing, mainly under 
the eSENS project. 
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4.3 Nordic interconnection via EU? 


Survey questions 4.4.1 and 4.4.2 


e Please provide information on plans for connecting up to CEF eID 
Building Block. 


e Pleaseinform on engagement in Nordic cross border pilots. 


4.3.1 Denmark 


Denmarkplansto have an CEF eID node in production, i.e. up and running 
in an operational environment by 31st May 2016. At present DK is 
running an eID pilot in e-SENS to get technical experience necessary for 
setting up a production eID node compliant with the eIDAS regulation. 
DK participates in the e-SENS pilot with eID in the domains business 
lifecycle and citizen lifecycle. Adjacenttothe e-SENS pilot project, the Nordic 
Ministers Council has financed a Nordic e-SENS project with focus on: 


e Identify and execute Cross Border Pilots. 
e Coordinate resources for better efficiency in the e-SENS project. 


e Perform workshops in order to identify pilots as wellas gettinga 
better. 


4.3.2 Finland 


No input. 


4.3.3 Iceland 


Iceland participated in the STORK projects.A PEPS is already operational 
and Registers Iceland has applied for and received positive response for 
funding from CEF Telecom for the continued operation of the service. 
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43.4 Norway 


The Norwegian eID gateway (ID-porten) will be connected to the CEF eID 
Core Service Platform in autumn 2015. Difi is a central actor in the e- 
SENS project, and the Brønnøysund register centre is also involved. The 
work includes piloting in the public procurement area and for 
registration ofa company in Norway from Sweden and Denmark (and the 
opposite direction). 


4.3.5 Sweden 


Sweden takes part in eSENS - Cross Border Company Registration. 


36 Nordic digital identification (eID) 


5. Providing eGov services for 
foreigners 


5.1 Welcometo the Waiting Room 


Figure 6: You are welcometo hang around inour waiting room until youreceive your national 
person identifier 


We have identified you as Sture Jansson from Sweden. 
To access our eGovernment services you must have a national person 
identifier (PID ): 


e Clickhere to apply for a national person identifier (PID). 


Please note that the waiting time for a new PID is typically 2-4 weeks. 


Survey question 4.3.1 


e Access to public services routinely requires a unique national 
identifier e.g. the civic registration number. Ifthis is the case in your 
country, please provide information on this topic. 


Figure 7: Access to eGov services 


Survey question Observations 
* ls access tothe eGov services of your In all Nordic countries 
country dependant on some specific online access to 
national person identifier? eGov services requires 
that the user has å 
domestic PIN 


— a country specificperson identifier. 


5.11 Denmark 


All Danish services for citizens are based on a unique nationalidentifier, 
the central person registration number (CPR). 


5.1.2 Finland 


The civic registration number is most commonly used. 


5.1.3 Iceland 


The unique national identifier, "kennitala”, is fundamental in providing 
eServices. 


5.14 Norway 


A Norwegian person identifier ("fødselsnummer - birth number”) is 
required for most government services and many services in the private 
sector; persons that are not citizens or permanent residents of Norway 
can obtain a "D-nummer" that is compatible in use. 


5.1.5 Sweden 


The Swedish civic registration number "personnummer” is required for 
most government services. 
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6. Enabling foreigners to 
proceed beyond the 
"Waiting Room" 


6.1 All Nordiccitizens have a national personal 
identifier, but... 


All Nordic countries use a system where natural persons are associated 
with a unique national person identifier - a PID. This identifier is 
commonly used as access key to eGov services, however, the syntax of 
this identifier varies much from country to country. 


6.1.1 Denmark 


Personnummer (DK) - alsocalled CPR - consists of 10 digits. The format 
of the first six digits is: DDMMYY. Information of the birth century 
information is embedded in the seventh digit and the last digit carries 
information about gender. 


6.1.2 Finland 


Henkilótunnus (FI) consists of 10 characters separated in two groups 
DDMMYY-XXXX. The first group indicates birthdate using numbers. Then 
comesthe separation character which can be "-" (born in 1900-99) or "A" 
(born in 2000- ). The last 4-characters contain serial number (3 chars)and 
a checksum. Checksum is a single character that is being calculated using 
public algorithm and it verifies the integrity of personal identification 
number. Serial number not only quaranties the uniqueness of personal 


identification number but it also contains the gender information. Odd 
number is for male and even number is for female citizen. 


6.1.3 Iceland 


Kennitala (IS). The kennitala consists of 10 digits and includes 
information about birthday and birth century; DDMMYYxxxC. 


6.1.4 Norway 


Fgdselsnummer/D-nummer (NO) comprises 11 digits DDMMYY-XXX-XX. 
D-numbers are used for non-resident persons and has the same structure 
as "fødselsnummer”, but the date of birth is adjusted to be out of range 
(DD+40) MMYY-XXX-XX. There is an added rule that the ninth digit also 
indicates gender (odd - male, even - female). 


6.1.5 Sweden 


Personnummer/Samordningsnummer (SE). The Swedish number has10 
digits separated in two groups (6 * 4 digits). The first group indicates a 
person's date of birth using the format YYMMDD. The two groups are 
normally separated by a hyphen (-). However, ifthe personis morethan 
100 years old, this is indicated using a plus sign (+) as a separator. 


6.2 Adummy PID for foreigners? 


The waiting room issue is closely related to the use of national PIDs as 
access key to public services. An apparent straight forward solution is to 
assign a national PID tothe foreign person. However, national procedures 
are often lengthy and paper based. This is understandable as the use ofa 
national PID is closely related to legal rights and responsibilities. 

An alternative solution is to assign a dummy PID that fulfils format 
requirements, but where certain information elements are left 
undefined. This PID could typically be of temporary nature and have 
built-in limitations with regard to access rights. 
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It is technically feasible to create dummy PIDs on the fly. However, a 
solution needs to take into account certain legal, institutional and 
information issues: 


e ThedummyPID must not collide with any existing person identity. 


e Thereareinherentlimits to the number of dummies that can be fit 
into a national PID system. 


e The need for a life cycle management of the dummy PIDs is e.g. 
when the person gets a permanent PID. 


e The life cycle management of national PIDs in the situation where 
persons possesses eID tokensand eIDs from several countries. It will 
be a challenge to assurethattheyall refer to the same physical person. 


6.3 Nordic eID datasets 


Figure 8: Convension from Swedish to Norwegian eID 


Sweden Norway 


Natural Personal Identity Basic Norwegian 
with Civic Registration Number elD profile for 
natural persons 


1. Swedish person identifier >= ----- ; 1. Norwegian person 
2. Surname i identifier 
3. Given name -— 2. Assurance level 
3. Language 
4. Authentication method 
er 5. OnBehalfOf 
for a Norwegian elD 
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The format and content ofan eID issued in a foreign country willtypically 
be different tothat used inthe country providingthe public service. The 
picture illustrates the conversion from a Swedish eID toa Norwegian eID. 
The Swedish eID comprises three attributes; a Swedish person identifier, 
surname and Given name. 

The Norwegian elD comprises five attributes; Norwegian PID, 
Assurance level, Language, Authentication method and “OnBehalfOf”. 
None of the Norwegian attributes correspond to the attributes of the 
Swedish eID. 


Survey questions 5.1.1 and 5.1.2 

e Please provide a description of the core eID dataset for natural 
persons. 

e Is the dataset formally defined or merely a commonly used set of 
data (a profile)? 

e Isthecore dataset available as a credential issued by some 
Authoritative Source? 


National laws and regulations determine who may requisition a civic 
registration number. Use is commonly restricted to government 
agencies, health care bodies and organisations with specific documented 
needs. The survey does not have a comprehensive overview ofthis, buta 
first mapping indicates that an exchange of this type of information 
across Nordic borders will meet obstacles. 


6.3.1 Denmark 


The Danish eID is bound tothe Danish natural person certificate (POCES). 
It contains a country code, PID number,5 given name, surname, common 
name/pseudonym, postal address, and e-mail address. 

Person certificates are issued by specific certification authorities 
(CAs) under the supervision of The Danish Agency for Digitalisation. 


5 Personspecifik Identifikationsnummer. 
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6.3.2 Finland 


The Finish eID is based on a core dataset formally described in the 
document "Finnish formal core dataset.pdf”. The document lists more 
than 30 attributes. 

The core dataset is maintained by the Finish Population Register 
Centre. It is possible to use subsets of the core dataset. Datasets 
are implemented as SAML2 profile and signed by the Population 
Register Centre. 


6.3.3 Iceland 


The core dataset consists ofthe unique national identifier (kennitala) and 
the name of the person. The dataset is retrieved from the national 
registry, operated by Registers Iceland. 

Icelandic authentication service (electronic certificate, IceKey), 
issues this information in a digitally signed SAML 2 profile. The same 
information is available in passport and drivers licence. 


6.3.4 Norway 


The mandatory elD authentication portal, ID-porten, issues a SAML 
assertion as response to authentication requests. Profiles are defined by 
the Agency for Public Management and eGovernment (Difi). Currently 
three profiles are in use. 

The basic profile comprises five information elements (SAML 
statements) civic registration number, authentication assurance level, 
language, authentication method and an “OnBehalfOf” statement. 
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6.3.5 Sweden 


The Attribute Specification for the new Swedish eID Framework issued 
by E-legitimationsnàmnden defines four elD profiles. The profile 
"Natural Personal Identity with Civic Registration Number" comprises 
three mandatory information elements; Surname, given name and 
National civic registration number. 


Other profiles are "Natural Personal Identity without Civic 


Registration Number" and "Pseudonym Identity". 


6.4 The eIDAS dataset 


The eIDAS regulation specifies a minimum dataset for natural persons 
that consists of four mandatory and four optional data elements. 


Mandatory 


Current family name(s). 

Current first name(s). 

Date of birth. 

A unique identifier constructed in accordance with the technical 
specifications for the purpose of cross-border identification and which is as 


persistent as possible over time. 


Optional 


First name(s) and family name(s) at birth. 
Place of birth. 
Current address. 


Gender. 


$ Regulation (EU) 2015/1501. 
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Considerations 


e [twould be useful to have a Nordicinteroperability profile, i.e. a 
common Nordic understanding of how the above mentioned 
information elements are interpreted. This would facilitate the 
exchange of basicinformation about natural persons. 

e Whenaresidentof a Nordic country demands access to an e- 
government service in another Nordic country, there is a risk that 
the person is already registered in the country's civic register. This 
is highly possible if the person is logging into a social benefit service 
or a health care service. The study hasrevealed a need to keep trace 
of the national identities of people across country borders. 
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7. Providing services for 
foreigners 


The provision of eGovernment services for a person resident in another 
country will in many cases require access to additional information 
beyond what is held in a standard eID credential. This brings up the issue 
of access to authoritative information registers in other countries. 


Figure 9: Retrieval of authoritative information 


Observations = 


* Howis attribute information » Different approach and system 
organisedin your country? architecture in all countries. 
*DK: The Data Distributor 
«Fl: — X-Road Access from abroad will be a 
challenge 


* Where can I find the additional 


* Do you have a national 
: information needed for my service? 


Quality Assurance regime for 


Authoritative Attribute provision ? * How can I be sure that the attribute 
* No. Data quality and access Ez the mer mat and meaning as 
service is generallyregarded am used to: 
to bethe duty ofthe attribute * How can I be sure that 
responsible organisation. the attribute I look for has the 


information quality level that I need? 


7.1 Organisation of access to authoritative 
information 


Survey question 5.2.1 


e Please provide an overview description of national Authoritative 
Attribute Sources 


e Is provision of attributes organised with some sort of common 
gateway? 

e Istherea defined QAA regime for attributes and attribute 
providers? 


7.1.1 Denmark 


Central Person Register (CPR) is of national Authoritative Attribute 
Sources for natural persons and Central Business Register (CVR) for 
businesses. 

In addition, the authorisation register for health professionals atthe 
National Board of Health (Sundhedsstyrelsens autorisationsregister) 
contains attributes about Danish health professionals amongst others 
their authorisation to work as health professionals. 

Also, the authority service and authorisation administration of 
NemLog-in can be seen as attribute services (NemLog-in’s fuldmagts- 
tjeneste og brugerrettighedsstyring). 


7.12 Finland 


Dataset for Natural persons is based on Population information system 
maintained by Population register centre and local register offices. 

Core dataset for natural persons is available as SAML2 profile via 
Finnish Public Sector eIdentification portal and via Soap/xml gateway 
directly from population information system. 
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7.1.3 Iceland 


National population register and the National property register, run by 
Registers Iceland. The Company register run by the Directorate of 
Internal Revenue. The vehicle register run by the Icelandic Transport 
Authority. A limited health register is run by the Directorate of Health 
(i.e. vaccinations and prescriptions). 

Each person has the right to access information about 
himself/herself and their properties. Access to the National population 
register, the National properties register, The Vehicle register and the 
Vaccination register is provided at "My Pages" at the National Portal 
"Island.is". Access to certain health information, i.e. prescriptions is 
available from the health portal "heilsuvera.is". 


7.1.4 Norway 


Registers are considered as authoritative attribute sources. Norway has 
a well-developed register infrastructure, although each register must 
commonly be accessed directly. Some common interfaces exist, notably 
for different registers provided by the Brønnøysund register centre. 
Registers typically provide a GUI interface for humans and a web service 
interface for system integration. 

Some registers are available, following open data principles. These 
can be reached also from abroad. The Norwegian Population Register is 
subject to access control, and access authorisation may be difficult to 
obtain from outside of Norway. 


7.1.5 Sweden 


The population register is where the population of, Sweden is registered. 
The Swedish Tax Agency is responsible for the population register. You 
remain registered in Sweden until the day you move abroad or die. 
Information regarding the population is distributed to authorities 
through Navet (the Swedish Tax Agency system for distribution of 
information about the registered population) and SPAR (the Swedish 
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population and address register) Registers are considered as 
authoritative attribute sources (although that term is not used). 

The new Swedish eID identity federation is built to handle 
distribution of attributes to e-services through the use of different 
attribute profiles under SAML 2.0, and specificattribute federations have 
already been established within specific sectors (for instance SAMBI for 
the eHealth sector). 


7.2 Case presentation (DK) - The Data Distributor 


Public authorities register various information about individuals, 
businesses, real estate, buildings and more. In Denmark this is labelled 
“basic data” and asa general rule, basic data is to be made freely available 
to all public authorities, private businesses and individuals. 


Figure 10: The Data Distributor (DK) 


DATA DISTRIBUTOR 


BASIC DATA 
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Basic data is regarded to be a common digital resource, which can be 
exploited freely for commercial as well as non-commercial purposes. 
To serve this purpose a Common Public-Sector Data Distributor has 
been established. 

Text taken from GOOD BASIC DATA FOR EVERYONE. (2012) The 
Danish Government. 


7.3 Case presentation (FI) - X-Road 


Finland is creating a data exchange layer based on the Estonian X-Road 
system. 

The Government of Finland has decided to create a data exchange 
layer of e-services and cooperate with Estonia as much as possible. 


Figure 11: X-Road (FI) 
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The X-Road was launched in 2001. The data exchange layer X-Road is a 
technical and organisational environment, which enables secure 
Internet-based data exchange between the state's information systems. 

The X-Road allows institutions/people to securely exchange data as 
well as to ensure people's access to the data maintained and processed 
in state databases. 

Public and private sector enterprises and institutions can connect 
their information systems with the X-Road. This enables them to use X- 
Road services in their own electronic environment or offer their e- 
services via the X-Road. Joining the X-Road enables institutions to save 
resources, since the data exchange layer already exists. This makes data 
exchange more effective both inside the state institutions as wellas for 
communication between a citizen and the state. 
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8. eSignature 


8.1 Types of signatures - legal definitions and 
technology 


The area of electronicsignatures has been a primary focus for legislation 
and standards development in the EU; in fact the eSignature directive 
from 1999, and theresulting standardisation mandates given to CEN and 
ETSI, focus solely on signatures. Only with the introduction of the eIDAS 
regulation is this expanded to eID (and other trust services). 
Considerable confusion results from the fact that "signature" is both a 
legal and a technical term. 

Inthisreport, we seekto clarify this by usingterms in thefollowingway: 


e An “electronicsignature’” is the legal term for the act of signing, i.e. 
giving consent to, something. An electronic signature is a replace- 
mentfor a handwritten signature. 


e A “digital signature” is a technical term for a signature created by 
public key cryptography supported by PKI certificates issued by a 
recognised certification authority. This technology is currently 
needed to support "advanced" and "qualified" signatures (see below). 


The eIDAS regulation defines several types ofsignatures, all of them legal 
terms. Since eIDAS is a legal document, the definitions should be 
technology neutral as far as possible. Taking technology into 
consideration, the eIDAS definitions are to be understood as follows: 


e An “electronic signature” can be created by any technical 
mechanism that creates a link between the 
data/information/document that is signed, and the act of the user. 
Notably, a "click to consent” user interface where an authenticated 


user explicitly confirms his/her intention by clicking a button on a 
web page can be used, preferably in combination with creation of a 
sufficiently strong auditlog record of the event. Some say that even 
a plaintext "signature" atthe bottom of an email constitutes an 
electronic signature. 


e An “advanced electronic signature" (AdES) is in reality not a 
technology neutralterm but requires a "digital signature" and use of 
PKI technology. A "basic" AdES has no quality requirements, e.g. no 
requirement on the quality of the PKI certificate used. 


e An "advanced electronic signature with qualified certificate" 
(AdESoc) adds the requirement for use of a qualified certificate, i.e. a 
certificate issued by a certification authority that is nationally 
supervised and present in the Trusted List system of the EU. 


e A “qualified electronic signature” (QES) additionally requires use of 
a "qualified signature creation device" (QSCD) holding the signer's 
private signing key. A QSCD can be based on various technologies; 
although a smart card was initially foreseen, server-based solutions 
are increasingly being used. 


Replacing handwritten signatures, concepts and misconceptions 
Since the eSignature directive in 1999, an established principle in the EU 
is that whenever an electronic process is used, a QES shall beaccepted as 
the equivalent ofa handwritten signature. This ensures that there always 
exists a valid signature option that can be used in the transition from 
paper based to digital processes. 

Unfortunately, many EU Member States have stated that QES is the 
only mechanism that can replace a handwritten signature. This has 
blocked the development of alternative more user friendly approaches 
that would be sufficiently secure. While a handwritten signature is the 
only mechanism for proving consent on paper, there are several 
alternatives when it comes to digital consent. The choice should be 
guided by a convenience and risk analysis. 

This "QES only" approach is contrary to the intention of eIDAS and 
the eSignature directive, which explicitly state that QES is a maximum 
level. There is no hindrance in eIDAS to accept other forms of electronic 
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signatures, as long as the mechanism(s) used fulfil the purpose of a 
signature in the process. One may argue that AdES/AdESgc/QES should 
only be used when: 


e There is alegal justification for the use ofa specific mechanism. 


e Ariskanalysishas documented its need. 


8.2 The NordiceSignature situation 


Survey questions 2.2.2 and 3.2.1 


e To whatextentdo laws and regulations specify the use of advanced 
and/or qualified e-signatures? 


e Istherea preference for governmentissued certificates for 
signatures towards e-government services? 


82.1 Denmark 


OCES’ digital signatures are advanced electronic signatures under the 
notion ofthe eSignature directive. There are currently norequirements 
to use qualified signatures in Danish regulation. 

Only OCES certificates that are issued by the government can be used 
towards e-government services. 


8.2.2 Finland 


Specification for qualified e-signatures is similar to in the text of the 
eSignature directive 1999/93/EC (Article 5.) 

No legal preference for government issued certificates, but in 
practise only the government is at the moment issuing qualified 
certificates. 


7 Offentlige Certifikater til Elektroniske Services (Public Certificates for Electronic Services). 
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8.2.3 Iceland 


The laws state that a qualified e-signature is equal to a handwritten 
signature. 

There is no preference for government issues certificates. Auökenni 
is in practice the only issuer of electronic certificates in Iceland. However, 
both public and private companies/agencies can apply for an 
intermediate certificate and start issuing eID cards under the Icelandic 
Root. Almost all e-government transactions rely on "simple" electronic 
signatures: Authenticate, fill in form or upload document and "sign" by 
clicking "a submit button. 


8.2.4 Norway 


In most cases, the interpretation in Norway is that an “electronic 
signature” in its simplest form is sufficient. Almost all e-government 
transactions rely on “simple” electronic signatures to authenticate, fill 
out forms or upload documents and sign by clicking a submit button. 

There are no legal requirements for AdES, although, some 
requirements are posed by guideline type documents extending to 
AdESoc However, there is no requirement for a "qualified signature”. 

In Norway, the policy has been to avoid the use of advanced 
signatures. Signing has been so far supported by market actors: BankID, 
Buypass and Commfides. The functionality of ID-porten hasin 2015 been 
extended with a common component for signing and validation. 


8.295 Sweden 


The general legal system does not specify the use of qualified e- 
signatures, but to some extent government specific laws specify 
requirement on advanced e-signatures or e- signaturesin general, anda 
few old government specific laws still specifies signatures on paper. 
Swedish eSignatures created by the new signature service, can be 
supported by qualified certificates and qualified signature creation 
devices (The central signing service will be classified as a QSCD). 
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Certificates for both the currentand the new system are typically issued 
by the private market. 


Figure 12: Signature usage in the Nordiccountries 
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allowed) signingserv.) signingserv.) 


The survey has revealed that most e-government services (and other 
services) in the Nordic countries are based on the authentication of the 
user's identity only, as a basis for "simple” electronic signatures. This is 
different from European countries with a tradition for Notary and 
Registrar confirmed documents. 

Sweden is the only Nordic country where government agencies 
frequently choose to require advanced electronic signatures to be used. 
To fulfil this and still offer the user friendliness of a "click to consent” 
signature, a central signing service has been developed. 


8.3 Case study (NO): Altinn electronic signatures 
Altinn is a core component of the Norwegian e-government 


infrastructure. Originally a portal serving as a single access point for 
businesses to government reporting, Altinn has evolved into a platform 
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that public agencies can use to offer services to both businesses and 
citizens. Reports normally need to be "signed", to confirm the consent 
and commitment of the actor (business or citizen) filing the report. 


Forms requiring only one signature 
If a form requires only one signature, it is signed and submitted in one operation 
when you click on the Sign and submit button. The form will be saved under 


Archived in My message box and submitted to the appropriate public agency. 


Forms requiring more than one signature 


Some forms must be signed by two persons. For example, some forms will also 
need to be signed by the auditor. If you have the right required to sign for the 
first step, the form will be transferred through Altinn to the person who has the 
right to sign for the second step. The form will be submitted automatically when 


it has been duly signed. 


Although Altinn has a solution for AdESoc, signing is almost exclusively 
done by a click to consent mechanism - see the text box for Altinn's 
explanation. In this respect, Altinn serves as a common electronic 
signature solution for the Norwegian government for "simple" electronic 
signatures. 

Altinn operatesa "third party archive” comprising hash values ofthe 
"signed" documentsinformation about the authentication and 
authorisations of the person(s) signing, and a time stamp. This 
information, together with the document content stored in the Altinn 
archives belonging respectively to the user and the publicagency, can be 
used as proof that the electronic signing took place and that the contents 
of the actors' archives are unaltered. 
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8.4 Case Study (SE): The Swedish eSignature 
solution 


Sweden is the only Nordic country where government agencies 
frequently choose to require AdESs. To fulfil this requirement and still 
offer the user friendliness of a "click to consent" signature, Sweden 
implements a central signing service that is integrated into the 
infrastructure as a service requiring authentication only; the user does 
not need a separate signing certificate. 

As shown in the figure, when the user decides to sign, a signing 
request containing a hash value (and not the entire document) is created, 
and the authenticated user is redirected to the signing service with the 
signing request. The signing service creates a one-time key pair and 
certificate and upon a "click to consent" by the user signs the request to 
form a sign response. The response is returned to the service provider, 
where the signing support service combines the response with the 
document to form an AdES-signature. 


Figure 13: The Swedish eSignature solution 
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The content of the one-time signing certificate is based on the user's 
authenticated identity, and the quality of the certificate matches the 
assurance level of the authentication mechanism. If the user's original 
authentication is too weak, the user must re-authenticate using a 
stronger mechanism. When the CA (Certification Authority) for the 
signing service fulfils requirements for qualified certificates and is 
supervised, and the user authentication is sufficiently strong, and the 
crypto hardware of the signing service has the proper product 
certifications, then even a QES can be produced. 

The authenticated user may be a foreigner that is authenticated 
through the STORK (CEF Digital) infrastructure. Thus, the foreigner will 
need an authentication eID only, and the signature produced will be 
"Swedish" in that the Certification Authority is Swedish. The need for 
cross-border AdES signatures disappears. 
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9. Recommendations 


A primary objective for this project has been to encourage Nordic 
discussions on eID related similarities and difference. A foundation was 
created collecting information organised around specific eID related 
themes. This information constitutes the main body ofthe chapters 1-8. 
Input data is displayed on a per country basis and completed with 
analyticobservations and considerations. This has been further compiled 
into the "Issues and considerations" in the executive summary. 

The project was also asked to develop proposals for near term 
actions and joint Nordic projects, particularly in relation to the eIDAS 
Regulation and the CEF Digital initiative.8 The latter is a major EU funding 
instrument to facilitate cross-border interaction between public 
administrations, businesses and citizens, by the development of cross 
border digital service infrastructures at European level. 

Recommendations and project proposals were discussed at the 
reference group workshop in Copenhagen in September 2015. The 
discussions have been summed up in three sections: 


e Recommendations for the NordicCIO Forum (9.1). 
e Proposals for projects and studies (9.2). 


e Recommendations for support actions at the Nordic Council of 
Minsters (9.3). 


8 Connecting Europe Facility: http://ec.europa.eu/in ea/en/connecting- europe-f acility 


9.1 Recommendations for the Nordic CIO Forum 


Figure 14: Recommendation (1) 
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The eID issues and challenges highlighted in chapter 1.3 are in general 
shared by all Nordic countries. This implies that coordinated actions 
would be beneficial. Not so that the solutions would be the same in all 
countries, butona general basis the mutual exchange ofinformation and 
concerted actions towards the EU would be beneficial. 

Å main recommendation is therefore to initiate a broadening and 
deepening of the work of the CIO Forum. 


9.1.1 A Nordic collaboration forum for CEF Digital 


Proposal: A Nordic CEF Digital Collaboration Forum 


e A forum for exchange of information among persons responsible for 
architectural issues and operational services. 


e The group will not take formal policy decisions, but be a forum for 
mutual exchange of information. 
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CEF Digital is a possible source of funding from the EU for digital 
interconnection among Nordic countries. CEF Digital is very broad in its 
scope and covers a number of digital infrastructure areas, for example 
eID, eDelivery, Open Public Data and elnvoicing. 

CEF Digital supports European cross border infrastructure 

development with a mix ofgrants and financial incentives. The "building 
blocks" developed under CEF Digital have evolved as result of 
discussions between the European Commission and programme 
participants. There is much to gain by Nordic collaboration and the 
alignment of initiatives. 
The CEF Digital DSI Building Blocks are technical and operational in 
nature. The technical system architecture comprises a Core Service 
Platform and national connection point. The operational responsibility 
for national access points and related services call for many 
considerations of a highly specialised nature. 

The governance structure for the CEF Digital building blocks is 
complex and resource demanding. An Architecture Management Board 
has recently been introduced in addition to the already defined, CEF 
Expert group and DSI Expert groups. 


9.1.2 Nordic ISA? interest forum 


Proposal: A Nordic ISA? forum 

e ANordicISA? study group for the exchange of information on 
initiatives for, and positions on, the exchange of authoritative 
information amongthe Nordiccountries. The group would arrange 
workshops and thematic meetings. 

e The ISA? forum should preferably have a kernel that can prepare 
materialfor workshops and thematic meetings. The Nordic CIO 
Forum could serve as reference group. 
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The survey documented that the data content ofthe different Nordic eIDs 
differs much. It would be convenient if there existed a Nordic “standard” 
that could be used for the exchange of eID data among the Nordic 
countries. This could be a de facto profile with reference to international 
standards or metadata at European level. 

The cross border provision of public services calls for cooperation 
not only at a technical and organisational level, but also at a semantic 
level. The ISA? programme will address these issues at a general and 
European level. A Nordic “group oflikeminded" participants that address 
issues with a common interest will be beneficial to individual countries 
as well as to the Nordic community as a whole. 

The ISA programme has been EU’s instrument for sharing 
specifications, standards and solutions for cross-border interoperability 
among European countries. The follow up programme ISA? scheduled for 
the period 2016-2020, will continue this practice. 

ISA2 would be a well suited place for Nordic cooperation, the 
exchange of opinions and possibly Nordic alignment of positions on the 
aforementioned issues. 


9.1.3 eIDAS implementation forum 


Proposal: An eIDAS implementation forum 


e Thethematicgroup should have a core team to prepare material for 
workshops and a broader reference group with representatives 
from all Nordic countries. 


e Thethematicgroup should address and document benefits related 
to Nordic harmonisation where relevant, e.g. 


— Notification of a national eID. 


— Implementation ofeIDAS trust services. 
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The eIDAS regulation implies changes to eID assurance policies in all 
Nordic countries. The regulation text is deliberately free of references to 
technical standards or procedures. This leaves much choice - and much 
work - for the different countries. There is reason to assume that 
countries can economise their efforts through knowledge sharing and 
networking with the other countries. 

There may not bea consensus among the Nordic countries on all the 
elDAS issues. Nevertheless, it will be advantageous for the CIO Forum 
and countries to establish an arena where eIDAS issues can beaddressed 
as they arise. 

There may not bea consensus among the Nordic countries on all the 
eIDAS issues. Nevertheless, it will be advantageous for the CIO Forum 
and countries to establish an arena where eIDAS issues can beaddressed 
as they arise. 


9.2 Project proposals 


One aspect seems particularly importantin order to assure high quality 
projects; projects should be relevant not only on Nordic level, but also for 
specific countries. 

The below proposals are closely related to issues identified during 
the project and considered to be beneficial to specific countries as well 
as for the Nordic cooperation more generally. However, the Nordic CIO 
Forum in invited to take on the role as an active project initiator at 
Nordic level supplementing the list of proposals and prioritise projects 
for funding. 

The project proposals are presented as a combination of a draft "call 
for project proposals" (the gray boxes) and supporting explanatory text. 
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Figure 15: Recommendation (2) 
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9.2.1 Systems for the provision of a dummy PID 


All Nordic countries have a "Waiting Room" issue, i.e. public services are 
in general dependant on a PID with a specific format. The format varies 
from country to country, but an inherent problem is that the PID is not 
only a reference number, but a carrier of information about person 
attributes, e.g. gender. 

A possible solution in order tobring the person "beyond the waiting 
room", is the creation of dummy PID numbers that fulfils the format 
requirements and is not already in use by another person. The solution 
is used by the Norwegian health sector to provide acute health care to 
unidentified persons. A special online service provides a "FH-nummer" 
in milliseconds. The PIN is a unique Norwegian reference without 
information about gender or birthdate. The Norwegian solution allows 
for generation of some 160 million Norwegian dummy PIDs. 
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Call for project proposal (DRAFT) 
Provision of dummy PID 


This expected outcome of this project should be the demonstration and proof of 
concept of a real time service for national PIDs: 


« The start point should be an authenticate eID credential from another 
Nordic country. 

* The project should highlight legal and organisational barriers to its 
implementation. 

e The project should have public agencies from at least two Nordic countries 


participating as active project partners. 


9.2.2 Feasibility study of Swedish eSignature solution 


The eIDAS regulation defines several types of electronic signatures - all 
in principle technology neutral However, "advanced electronic 
signature" (AdES) requires the use of PKI technology, "advanced 
electronic signature with qualified certificate" (AdESoc) adds the 
requirement for use of a qualified certificate and a "qualified electronic 
signature" (QES) requires the use of a "qualified signature creation 
device" (QSCD) holding the signer's private signing key. 

Our study has shown that Nordic countries makes limited use of 
advanced electronic signatures (AdES). Sweden seems to be the only 
country where governmentagencies frequently require advanced digital 
electronic signatures (AdES). To fulfil this demand and still offer users 
the friendliness of a "click to consent" signature, Sweden has developed 
a central signing service. 

This project will investigate whether the Swedish approach can be 
adopted by other Nordic countries. This will require an investigation of 
legal frameworkand possible "red tape" barriers. It will also be necessary 
to develop and test out technical adaptions required for the solution to 
work in other countries. 


Nordic digital identification (eID) 67 


Call for project proposal (DRAFT) 


Advanced eSignatures by "click to consent" 
The Swedish signing service is a signing service in line with the eIDAS 


regulation: 


e The projectshould perform an investigation of legal framework and possible 
"red tape" barriers in countries interested in "the Swedish signing service". 
e The project should perform technical proof of concept investigations 


adapted to the technical infrastructure of the relevant countries. 


9.2.3 Survey of Nordic attribute provision systems 


Retrieval of information about a person - a physical person or an 
organisation - from abroad is a challenging task. Survey data from the 
Nordic countries raise some difficult considerations about the 
complexity ofthe issue: 


e Different system architectures and different technological 
approaches. 
Denmark hasa central core - a common distribution solution. 
Norway hasa distributed architecture where service providers have 
to connect to the relevant information registers 


e Different national policy regimes. 
In Denmark, basic datais feely available to all public authorities, 
private business and individuals. In other countries, public 
institutions charge users for the access to information. In Iceland, 
citizens own their own personal data. In Norway, personal data 
registered in the population register is owned by that institution. 
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Call for project proposal (DRAFT) 


Survey of Nordic attribute provision systems 


The expected outcome of this study is: 


« A survey and comparative mapping of systems currently existing and 
planned for attribute provision in the Nordic countries. 

« The survey should not be limited to technical issues but also investigate and 
highlight issues related tolegal framework, policy and organisational issues. 

« The study should line out a possible roadmap for the cross border access to 
authoritative attributes in the Nordic context. 


9.2.4 Analysis of needs and business aspects for Nordic 
cross-border eGovernment services 


There is a long tradition for Nordic cooperation when citizens cross the 
national physical borders for living or working in another country. Social 
security agreements and treaties on the cooperation between population 
registers are well established. Tax authorities of Denmark, Iceland, 
Norway, Finland and Sweden are operating the portal “Nordisk eTax” in 
collaboration with the Council of Ministers. 

In the internet age, when people cross borders and work in other 
countries without relocating physically, "cross border public services 
provision" implies the existence of new issues and a need for new and 
different approaches. These citizens also expect public services to be 
available with instant response and without payment for use. 

This study should investigate needs and the demand for cross border 
access to public services in the Nordic countries. It should investigate in 
depth a limited number of services based on need analysis among a 
relevant selection of Nordic citizens. It should investigate and highlight 
issues related to the financing and payment of some designated cross 
border services. 


Nordic digital identification (eID) 69 


Call for project proposal (DRAFT) 


Analysis of needs and business aspects for Nordic cross-border eGovernment 
Services: 


e Financial support will take the form of a procurement covering project cost 
at 100%. 
e The project length is limited to one year. 


9.3 Proposalforsupportactions 


Figure 16: Recommendation (3) 
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Administrative and financial management of a portfolio of Nordic 
projects is a task that calls for a secretariat support functions at Nordic 
level. The task comprises support to the initiation of new projects as well 
as the selection process. 
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The initiation and selection of new projects falls logically under the 
charge of the Nordic CIO Forum. However, the Forum would need 
secretarial support for the preparation of project candidates as well as 
the administrative and financial supervision of the funded projects. 

Open calls for project proposals with possibly private organisations 
as project executers, will most probably imply a step up of administrative 
and financial administration compared to current practice. For this 
reason it may be advantageous to investigate if project execution should 
be limited to public institutions with with routines and tradition for 
project administration. E.g. national ICT laboratories similar to e.g. 
eGovlab? or executive public agencies like Difi.10 


9.4 A possible timeline? 


The recommendations of chapter 9 was presented to the Nordic CIO 
Forum in November 2015 with a proposed time line as follows: 


e November 2015: 
— Presentation and discussion of recommendations. 
— Nordic CIO Forum. 

e Q1 2016: 


— Investigation of national support for extension and deepening of 
the CIO Forum. 

— Investigation of national support for Nordic projects and studies 
Investigation of possibly for reinforced support organisation at 
NCM level. 


e Next CIO Forum: 
Discussion of future cooperation, projects and support organisation. 


9eGovlab; an eGov centre within Stockholm University. http://www.egovlab.eu/ 
10 Norwegian Agency for Public Management and eGovernment. https://www.difi.no/om-difi /about-difi 
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Sammendrag (norsk) 


EUs forordning om elektronisk identifikasjon (eID) og tjenester til bruk 
ved elektroniske transaksjoner !! slår fast at landene skal akseptere eID- 
er utstedt i andre EU-land på linje med dem man selv utsteder. 
Forordningen har som siktemål å understøtte fri flyt av tjenester - også 
offentlige tjenester - over nasjonale landegrenser. Forordninger er EU- 
lov og gjelder i alle medlemsland på lik linje med deres egne lover. 
Forordningen som gjerne omtales som eIDAS, er EØS relevant og gjelder 
for Norge og Island på lik linje med medlemslandene i EU. 

I prosjektet "NordiceID Survey” er det gjort en kartlegging av de eID 
løsninger som benyttes i Danmark, Island, Finland, Norge og Sverige. 
Prosjektet har hatt som siktemål å kartlegge eI D-relaterte forholdavsærlig 
betydning for digital offentlige tjenesteyting på tvers av landegrensene. 
Det er samlet inn underlagsdata innenfor fire delområder: 


e Lovmessig rammeverk og policy. 
e De nasjonale eID-lgsningene. 
e  [nformasjonsinnhold og tilgang til personrelatert informasjon. 


e  Tilgangsbegrensninger i forhold til nettbasert offentlige tjenester. 


De nordiske landene har etablert ulike løsninger for digital identifisering 
av landets innbyggere. To nærliggende spørsmål dukker opp: 


e Er de nasjonale løsningene tilgjengelige også fra andre nordiske 
land? 


11 Regulation (EU) No 910/2014 of 23rd July 2014 on electronic identification and trust services for 


electronic transactions in the internal market. European Union. 


e Harde nasjonale løsningene fellestrekksom peker mot synergier og 
mulig samarbeid? 


Basert på data samlet inn våren 2015 legges det fram fakta og betrakt- 
ninger som i sin tur danner grunnlag for anbefalinger om nordisk 
samarbeid: 


e Nasjonale eID infrastrukturer er godt organisert ut fra nasjonale 
behov. 


e Nordiske sammenkoplinger på eID nivå er fraværende. 


e Den nye EU-forordningen (eIDAS) er svært overordnet. Den vil ikke 
i seg selv tvinge fram nordisk harmonisering. 

e Enautentisertutenlandsk identitet er bare et første steg mot digital 
offentlig tjenesteyting over landegrensene. For de fleste offentlige 
tjenester må brukereni tillegg tildeles en lokal nasjonal 
identifikator. De nordiske landene har et" venteromsproblem". 

e Nasjonale forskjeller i juridiskrammeverk og valg av teknologi, gjør 
det vanskelig å hente inn og sette sammen informasjon fra offentlige 
kilder i flere land til ett helhetsbilde. 


e Det mangler fellesnordiske avtaler om bruk av standarder. 


e De nordiske landene bruker i (overraskende) liten grad kvalifiserte 
sertifikater ved eSignatur for offentlige tjenester. 


Rapporten munner ut i tre anbefalinger: 


e "Nordic CIO Forum” bør videreutvikles og ta ansvar for 
samarbeidsfora og prosjekter av fellesnordiskinteresse. 


e Nordisk teknologisamarbeid bør videreutvikles gjennom prosjekter 
og studier forankret i et flertallav landene. En fgrste liste over 
prosjektforslag presenteres. 

e Støtteapparatet for prosjektsamarbeid på nordisk nivå bør 
videreutvikles og styrkes. Nordiske fellesprosjekter forutsetter 
administrativ støtte og de trenger ”steder å være”, det vil si steder 
hvor man kan samle prosjektteam og teste ut tekniske løsninger. 
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Nordisk ministerrád er prosjektets initiativtaker. Arbeidet er utfgrt av et 
prosjektteam etablert hos Difi, som er det norske direktoratet for 
forvaltning og IKT. Prosjektet har mottatt faglig stgtte og hjelp til 
datainnsamling fra en referanse-/ressursgruppe med deltakere fra alle 
de nordiske landene. I tillegg har fageksperter vaert invitert inn for à 
belyse utvalgte problemstillinger. 
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Appendix 


Project participants 


The project team 

e Kjell Hansteen (Hansteen Consulting AS). 

e Jon Ølnes (Unibridge AS). 

e Tor Alvik (Difi - Direktoratet for forvaltning og IKT). 


The project team was supported by a reference group with members 
from the participating countries. 


Table 1: Reference group 


DK Anni Buhr Digitaliseringsstyrelsen 

FI Kimmo Måkinen Ministry of Finance 

FI Olli-Pekka Rissanen Ministry of Finance 

IS Halla Björg Baldursdöttir Registers Iceland 

IS Bragi-Leifur Hauksson Registers Iceland 

NO Mette Bredengen Kommunal- og moderniseringdep. 

NO Live Heltberg Kommunal- og moderniseringdep. 

SE Per Granstrand Bolagsverket 

SE Anneli Hagdahl Nåringsdepartementet 

SE Magnus Lundsten Tilvåxtverket 

SE Eva Sartorius eLegitimasjonsnåmnden First meeting 
SE Nils Fjelkegård Nåringsdepartementet; Sverige Last meeting 


Invited speakers 
e Stefan Santesson (3xA Security). 
e Nathan Ducastel (PBLQ, Dutch Institute for Public Administration). 
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Assurance level 
A measure for the strength of assurance of an eID credential or an 
attribute. 


Attribute 
Information that specifies a characteristicof an entity. 


Attribute provider 

An entity that can provide and assert attribute values in line with 
the policies set by the scheme itis used within. 

Authentication 

The act of confirmingthe truth of a claim, e.g. thatthe identification 
of a person by an eID is correct, or that the value assigned to an 
identity attribute is correct. 


Authentication portal 

A service provider that carries out authentication on behalfof other 
service providers and issues credentials that can be verified by these 
service providers. 

Authoritative source 

A recognised source of information; [in our context] a recognised 
register or database of attributes. 

Core dataset 

A set of identity attributes, providing identification of a person and 
encompassing information designated as essential/mandatory in a 
given context. 

Credential 

An information entity asserting a certain stated facts, e.g. a PKI 
certificate or a SAML assertion issued by a relevantauthority third 
party. 

Civic Registration Number 

Unique identifier assigned to natural persons. See also PID. 

Claim 

A statement made by an entity about itself. A claim may bea 
statement about identity or attributes. 
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elD 
Electronic Identity; a collection of Identity Attributes in the form of 
a credential. 


Electronic signature 

Data in electronic form which is attached to or logically associated 
with other data in electronic form and which is used by the signatory 
to sign [el DAS regulation article 3.10] See also chapter on eSignature. 
Identification 

A claim set forth about the unique electronic identity (within a given 
domain/context) of a natural or legal person. The claim may consist 
of one identifier or a set of attributes that together provide unique 
identification. 


Identity assurance 

The ability for a party to determine, with some level of certainty, 
thatan electronic credential representing an entity (human or a 
machine) with which it interacts to effect a transaction, can be 
trusted to actually belong to the entity. 

Identity Provider (IDP) 

[in this context] a trusted service provider that creates, maintains 
and manages identity information. 

Person 


— Natural person: 
A human being, as opposed to a legal person. 
— Physical person: 
See natural person. 
— Legal Person: 
An organisation. A private or publicentity that can be uniquely 
identified. 
PID 
All Nordic citizens havea national PID- a nationalidentifier that 
labelsthe person uniquely within the population of the country. 
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Single Sign-On 

The property to authenticating a person's eID once for access to 
several online services within an identity federation. 

Token 

Any hardware, software or combination that holds credentials or 
information attesting and underpinningthe integrity of claimed 
identity or attributes. 
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This publication presents the survey results and policy 
recommendations of a Nordic study of national elD-systems. 
The countries that have been studied are Denmark, Finland, 
Iceland, Norway and Sweden. The aim of the study is to 
facilitate and lay a foundation for discussions about the 
similarities and differences in legal, organisational, technical 
and data approaches taken by the different countries. 


The survey data has been gathered with the assistance of 
the members of a project reference group. The data has been 
analysed and structured into a number of highlighted issues 
(chapter 1). The highlighted issues have been in turn used as 
baseline for a set of recommendations (chapter 9). 


The Nordic Council of Ministers has provided funding and 
facilitated the staffing of the reference group. The Norwegian 
Agency for Public Management and e-Government, Difi, has 
been the project owner and provided project resources. 
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